EP3384383B1 - Method for managing a package in a secure element - Google Patents

Method for managing a package in a secure element Download PDF

Info

Publication number
EP3384383B1
EP3384383B1 EP16802064.2A EP16802064A EP3384383B1 EP 3384383 B1 EP3384383 B1 EP 3384383B1 EP 16802064 A EP16802064 A EP 16802064A EP 3384383 B1 EP3384383 B1 EP 3384383B1
Authority
EP
European Patent Office
Prior art keywords
package
component
secure element
operating system
items
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
EP16802064.2A
Other languages
German (de)
French (fr)
Other versions
EP3384383A1 (en
Inventor
Christophe Franchi
François-Xavier Marseille
Fabrice Vergnes
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Thales DIS France SA
Original Assignee
Thales DIS France SA
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Thales DIS France SA filed Critical Thales DIS France SA
Publication of EP3384383A1 publication Critical patent/EP3384383A1/en
Application granted granted Critical
Publication of EP3384383B1 publication Critical patent/EP3384383B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/23Updating
    • G06F16/2365Ensuring data consistency and integrity

Definitions

  • the present invention relates to methods of managing a package in a secure element. It relates particularly to methods of handling a package when the operating system of the secure element is updated.
  • Secure elements are small devices comprising a memory, a microprocessor and an operating system for computing treatments. Such secure elements may comprise a plurality of memories of different types, like nonvolatile memory and volatile memory. They are called “secure” because they are able to control the access to the data they contain and to authorize or not the use of data by other machines.
  • the secure elements may also provide computation services based on cryptographic components. In general, secure elements have limited computing resources and limited memory resources and they are intended to be connected to a host machine which provides them with electric power. Secure elements may be removable or fixed to a host machine. For example, smart cards are a kind of secure elements.
  • a secure element may contain applications and their associated applicative data which encompass user data, file systems and secret key.
  • Such an application may be developed as a package or a set of packages which is stored into the secure element.
  • One or several instances of the application are then created as needed. Each instance owns, handles and store its own instance data.
  • Secure elements may be accessed by a remote server via a wireless channel or through a wired network, like Internet for instance.
  • secure elements which are intended to be used in Telecom domain or Machine-To-Machine (M2M) domain are able to manage an OTA (Over-The-Air) channel.
  • M2M Machine-To-Machine
  • OTA Over-The-Air
  • secure elements may also be accessed through the HyperText Transfer Protocol, usually called HTTP or HTTPS for the secure mode.
  • HTTP or HTTPS HyperText Transfer Protocol
  • a distant server can remotely manage the content of a secure element like an UICC (Universal Integrated Circuit Card) through a dedicated communication session using a specific protocol.
  • UICC Universal Integrated Circuit Card
  • the server may use the RAM (Remote Applet Management) mechanism as defined by GlobalPlatform ® v 2.2 standard - Amendment B "RAM over HTTP" or the OMA-DM (Open Mobile Alliance - Device Management) protocol as defined by OMA-TS-DM V1.2.1 standard.
  • RAM Remote Applet Management
  • OMA-DM Open Mobile Alliance - Device Management
  • a package may be loaded in a secure element through a CAP file.
  • the package installation comprises a step of linking the package to the operating system. This linking step allows to map symbolic addresses used in the CAP file into physical addresses depending on the current operating system. This linking step is carried out only once in the secure element then several components (Header, Directory, Import, Constant Pool and Reference Location components) of the CAP file are deleted. This allows fast execution at runtime and memory saving.
  • a remote server can send a new version or an upgrade of the operating system of the secure element.
  • the packages linked to the previous operating system are deleted then reloaded in the secure element.
  • This new loading of packages triggers the re-installation of these packages which in turn triggers the linking of these packages to the new operating system.
  • the re-loading of a package may require a large part of the bandwidth on the network. This problem is exacerbated when a large number of secure elements must be upgraded. Moreover, the remote server may have no access to the relevant package if this package has been installed by another entity like a third party.
  • the object of the present invention is a method for managing a package in a secure element comprising an initial operating system.
  • the method comprises a step of updating the initial operating system to generate an updated operating system.
  • the method comprises the step of linking the package to the updated operating system, the linking step being triggered by the step of updating the initial operating system.
  • the package may be created from a CAP file previously downloaded in the secure element.
  • the CAP file may comprise a plurality of components.
  • the method may comprise the step of selecting, from the plurality of components, items that are required to retrieve references to be updated during the linking step and permanently storing said items in the secure element.
  • the method may comprise the step of removing at least one component of the CAP file from the secure element.
  • said items may be related to targets external to the package.
  • the CAP file may comprise an Import component, a Constant Pool component, a Reference Location component, a Class component and a Method component. Said items may be selected from said Import, Constant Pool, Reference Location, Class and Method components.
  • the package may comprise both its own Class component and its own Method component and said linking step may comprise the following sub-steps:
  • said items may be permanently stored in the secure element in a format different from that of the CAP file.
  • Another object of the invention is a secure element comprising a package and an initial operating system.
  • the secure element comprises a first agent adapted to generate an updated operating system by updating the initial operating system.
  • the secure element comprises a second agent adapted to link the package to the updated operating system.
  • the first agent is adapted to trigger the linking of the package at the end of the updating of the initial operating system.
  • the package may be created from a CAP file previously downloaded in the secure element.
  • the CAP file may comprise a plurality of components.
  • the secure element may comprise a third agent adapted to select, from said plurality of components, items that are required to retrieve references to be updated during the linking step, to permanently store said items in the secure element and to remove at least one component of the CAP file from the secure element.
  • the CAP file may comprises an Import component, a Constant Pool component, a Reference Location component, a Class component and a Method component and said third agent may be adapted to select said items from said Import, Constant Pool, Reference Location, Class and Method components.
  • the package may comprise both its own Class component and its own Method component.
  • the second agent may be adapted to:
  • the third agent may be adapted to permanently store said items in the secure element in a format different from that of the CAP file.
  • the invention may apply to any types of secure element intended to embed packages and an operating system which may be upgraded when deployed on the field.
  • secure elements may be coupled to a host machine like a smartphone, a smart watch, a vehicle, a meter, a slot machine, a TV or a computer.
  • a package is a container as defined by object-oriented programming languages.
  • the invention applies to packages as defined in Java Tm and JavaCard Tm languages.
  • Figure 1 shows an example of a flow diagram for managing a package when the operating system of a secure element is upgraded according to the invention.
  • a secure element 20 is supposed to have been issued with an original operating system 30.
  • this original operating system 30 may comprise an object-oriented virtual machine and high level Application programming Interfaces (APIs).
  • APIs Application programming Interfaces
  • the virtual machine may be compliant with JavaCard Tm specifications version 2.2 or upper.
  • a CAP file 40 containing components allowing to create a package 10 is downloaded in the secure element 10.
  • the package 10 may be required to install an application into the secure element 10 for instance.
  • the package 10 is installed in the secure element.
  • the package 10 is created from the components of the CAP file 40 then the package 10 is linked to the initial operating system 30.
  • the CAP file may be processed on-the-fly when loaded in the secure element. Components of the CAP file may be temporary stored so that the CAP file (as such) is no more existing on the secure element once the package is fully created.
  • the package installation operation triggers the step S3 where the secure element 10 selects items 60 from several components of the CAP files 40 (before possible CAP file erasing).
  • these items 60 are extracted from the following component list: Import 51, Constant Pool 52, Reference Location 53, Class 54 and Method 55.
  • items 60 are permanently stored in the secure element 20.
  • items 60 are stored in a nonvolatile memory of the secure element 20.
  • "permanently stored” means that the items are kept in the secure element 20 for a long time. For example, these items are kept until the package 10 is removed from the secure element 20.
  • these items are stored in a customized format which is different from the format of the CAP file so as to minimize their footprint or to ease their parsing.
  • the items 60 are selected so that they refer to references external to the package 10 only. In other word, the selected items 60 are not intended to be used for solving the references which are internal to the package 10. Alternatively, items 60 may be selected so that they refer to both references external to the package and references internal to the package.
  • steps S2 and S3 have been described as two distinct steps they may be considered as a single step.
  • the following new structure may be used to store information which allows to establish a link between the Method component and a Constant Pool component customized for storage of a subset of items 60. This storage format allows to resolve references of the Method component:
  • the Import component which is originally structured as follows:
  • Class component When loading a CAP file, Class component is usually fully kept. However several data of the Class component are linked to the Operating System and then their original values are no more retained. According to an example of the invention, the new process extracts the data (with their original value) that will have to be re-linked later.
  • the Class component may be originally structured as follows:
  • the secure element 20 deletes part 50 of the CAP file components while keeping the selected items 60 in the secure element 20.
  • the following components are removed from the secure element 20: Header and Directory.
  • the secure element 20 does not keep any information coming from these deleted components.
  • a CAP file may contain custom components which are usually kept, they can be also updated. Since these custom components are OS issuer dependent, there is no general rules to manage them.
  • the optional Descriptor component is intended to be used if the on-board byte code verification is active. Consequently, the Descriptor component may be kept for the bytecode checking during runtime.
  • step S5 an upgrade is applied to the original operating system 30 to generate a new (updated) operating system 31.
  • the step S5 is carried out via a bootloader agent which is designed to administrate the operating system of the secure element 20.
  • the updated Operating system 31 is fully sent to the secure element 20.
  • the bootloader is activated so that the behavior of the secure element 20 does not rely on the original operating system 30.
  • the new operating system 31 is downloaded and in the secure element 20 via the bootloader.
  • an activation command is sent to the secure element to switch from bootloader mode to the new operating system 31 mode and a further reset (i.e. hardware reboot) is applied to the secure element so that the secure element takes the new operating system 31 into account by starting the new operating system 31.
  • the step S5 of updating the initial operating system 30 consists of the combination of execution of both the activation command and the reset.
  • the step S5 may be carried out by downloading a bulk of data aiming at slightly modify the initial operating system (like a corrective patch or a new feature).
  • the new/updated feature is active as soon as installed in the secure element (e.g. without requiring a reset).
  • the step S5 of updating the initial operating system 30 consists of the installation of the new/updated feature.
  • the re-linking operation is performed when the updated operating system 31 is active on the secure element 20.
  • step S5 triggers the step S6 where a new linking (also named re-linking) operation of the package 10 to the updated operating system 31 is started.
  • This re-linking operation is carried out using the stored items 60.
  • the re-linking step is automatically triggers by the end of the step S5 and is carried out using data permanently stored in the secure element.
  • the re-linking step is executed as soon as the step S5 is finished (i.e. directly executed).
  • intermediate operations may occur between the end of the step S5 and the re-linking step.
  • the items 60 which are permanently stored according to the invention remain unchanged after the re-linking step so that a further re-linking step can be performed again after another operating system update.
  • step S6 the re-linking operation of step S6 is carried out as follows.
  • the secure element 20 checks consistency (i.e. compatibility) of the package 10 with the updated operating system 31 thanks to items coming from the Import 51 component. This checking aims at controlling that the package is still compliant with the features of the updated operating system 31. In case of error, the re-linking operation aborts. In case of successful consistency checking, the secure element 20 resolves each external reference of the Class component of the package 10 using the stored items 60 and resolves each external reference of the Method component of the package 10 using the stored items 60.
  • the secure element 20 may also resolve internal references of the Class component of the package 10 and the Method component of the package 10 using the stored items 60.
  • the package re-linking process is applied to all packages previously installed in the secure element provided that these packages are compatible with the updated operating system.
  • Figure 2 shows an example a CAP file and a diagram of a secure element according to an example of the invention.
  • a package 10 is then created in the secure element 20 from the CAP file 40.
  • the secure element 20 includes an original operating system 30 and is intended to comprise an updated operating system 31 (shown in dashed line).
  • the updated operating system 31 is assumed to be an upgraded version of the original operating system 30.
  • the secure element 20 is a smart card comprising a communication interface (not shown) configured to exchange data with the outside according to ISO-7816 standards.
  • Both the original operating system 30 and the updated operating system 31 comprise a JavaCard Tm virtual machine VM.
  • the secure element contains first software agent 70 which is configured to update the original operating system 30 to generate the updated operating system 31.
  • the first software agent 70 is able to get a bulk of data coming from a distant machine and to update the original operating system 30 using the received data.
  • the secure element 20 comprises a second software agent 80 which is configured to link the package 10 to the updated operating system 31.
  • the first agent 70 is configured to automatically trigger the second agent 80 for starting a (re-)linking of the package 10 at the end of the generation of the updated operating system 31.
  • the secure element 20 comprises a third software agent 90 which is configured to select, from the plurality of components of the CAP file 40, items 60 that are required to retrieve references to be updated during the (re-)linking step.
  • the third software agent 90 is also configured to permanently store these items 60 in the secure element 20 and to remove at least one component 50 of the CAP file 40 from the secure element 20.
  • the third software agent 90 which is configured to extract these items 60 from the following components of the CAP file 40: the Import component 51, the Constant Pool component 52, the Reference Location component 53, the Class component 54 and the Method component 55.
  • the third software agent 90 is adapted to remove the Header and Directory components (of the CAP file 40) from the secure element 20.
  • the third software agent 90 may be configured to remove all the components of the CAP file 40, assuming that the selected items 60 are kept in the secure element 20 in another storage format.
  • the package 10 is assumed to comprise both its own Class component and its own Method component which may be stored in the secure element 20 according to any storage mechanism.
  • the second agent 80 is designed to process items coming from the Import component 51 to check if the package 10 is compatible with the updated operating system 31. In case of successful consistency (compatibility) checking, the second agent 80 is designed to resolve all external references of the Class component of the package 10 using the items 60 and to resolve all external references of the Method component of the package 10 using the items 60.
  • the invention it is possible to easily and smoothly manage the migration of existing packages when the operating system is updated, by automatically maintaining alive the packages already installed in the 20.
  • the updating operation of the operating system can be performed in a transparent way for the user who keep a full continuity of service since the packages (and their related applications) remain functional.
  • the secure element may comprise several packages which are automatically re-linked as soon as the operating system is updated.
  • the invention applies to package even if no application is instantiated from the package.
  • the invention applies API (Application Programming Interface) package.

Description

    (Field of the invention)
  • The present invention relates to methods of managing a package in a secure element. It relates particularly to methods of handling a package when the operating system of the secure element is updated.
    • (Background of the invention)
  • Secure elements are small devices comprising a memory, a microprocessor and an operating system for computing treatments. Such secure elements may comprise a plurality of memories of different types, like nonvolatile memory and volatile memory. They are called "secure" because they are able to control the access to the data they contain and to authorize or not the use of data by other machines. The secure elements may also provide computation services based on cryptographic components. In general, secure elements have limited computing resources and limited memory resources and they are intended to be connected to a host machine which provides them with electric power. Secure elements may be removable or fixed to a host machine. For example, smart cards are a kind of secure elements.
  • A secure element may contain applications and their associated applicative data which encompass user data, file systems and secret key. Such an application may be developed as a package or a set of packages which is stored into the secure element. One or several instances of the application are then created as needed. Each instance owns, handles and store its own instance data.
  • Secure elements may be accessed by a remote server via a wireless channel or through a wired network, like Internet for instance. For example, secure elements which are intended to be used in Telecom domain or Machine-To-Machine (M2M) domain are able to manage an OTA (Over-The-Air) channel. These secure elements may also be accessed through the HyperText Transfer Protocol, usually called HTTP or HTTPS for the secure mode. Thus, a distant server can remotely manage the content of a secure element like an UICC (Universal Integrated Circuit Card) through a dedicated communication session using a specific protocol. For example, the server may use the RAM (Remote Applet Management) mechanism as defined by GlobalPlatform ® v 2.2 standard - Amendment B "RAM over HTTP" or the OMA-DM (Open Mobile Alliance - Device Management) protocol as defined by OMA-TS-DM V1.2.1 standard.
  • According to JavaCardTm specifications, a package may be loaded in a secure element through a CAP file. The package installation comprises a step of linking the package to the operating system. This linking step allows to map symbolic addresses used in the CAP file into physical addresses depending on the current operating system. This linking step is carried out only once in the secure element then several components (Header, Directory, Import, Constant Pool and Reference Location components) of the CAP file are deleted. This allows fast execution at runtime and memory saving.
  • A remote server can send a new version or an upgrade of the operating system of the secure element. In this case, the packages linked to the previous operating system are deleted then reloaded in the secure element. This new loading of packages triggers the re-installation of these packages which in turn triggers the linking of these packages to the new operating system.
  • The re-loading of a package may require a large part of the bandwidth on the network. This problem is exacerbated when a large number of secure elements must be upgraded. Moreover, the remote server may have no access to the relevant package if this package has been installed by another entity like a third party.
  • There is a need for allowing to maintain a package in a functional state when the operating system of a secure element is updated.
    • (Summary of the Invention)
  • An object of the invention is to solve the above mentioned technical problem. The present invention is defined by the appended independent claims 1 and 6.
  • The object of the present invention is a method for managing a package in a secure element comprising an initial operating system. The method comprises a step of updating the initial operating system to generate an updated operating system. The method comprises the step of linking the package to the updated operating system, the linking step being triggered by the step of updating the initial operating system.
  • Advantageously, the package may be created from a CAP file previously downloaded in the secure element. The CAP file may comprise a plurality of components. The method may comprise the step of selecting, from the plurality of components, items that are required to retrieve references to be updated during the linking step and permanently storing said items in the secure element. The method may comprise the step of removing at least one component of the CAP file from the secure element.
  • Advantageously, said items may be related to targets external to the package.
  • Advantageously, the CAP file may comprise an Import component, a Constant Pool component, a Reference Location component, a Class component and a Method component. Said items may be selected from said Import, Constant Pool, Reference Location, Class and Method components.
  • Advantageously, the package may comprise both its own Class component and its own Method component and said linking step may comprise the following sub-steps:
    • processing the Import component to check consistency of the package with the updated operating system, and in case of successful consistency checking, using said items to:
    • resolve each external reference of the Class component of the package, and
    • resolve each external reference of the Method component of the package.
  • Advantageously, said items may be permanently stored in the secure element in a format different from that of the CAP file.
  • Another object of the invention is a secure element comprising a package and an initial operating system. The secure element comprises a first agent adapted to generate an updated operating system by updating the initial operating system. The secure element comprises a second agent adapted to link the package to the updated operating system. The first agent is adapted to trigger the linking of the package at the end of the updating of the initial operating system.
  • Advantageously, the package may be created from a CAP file previously downloaded in the secure element. The CAP file may comprise a plurality of components. The secure element may comprise a third agent adapted to select, from said plurality of components, items that are required to retrieve references to be updated during the linking step, to permanently store said items in the secure element and to remove at least one component of the CAP file from the secure element.
  • Advantageously, the CAP file may comprises an Import component, a Constant Pool component, a Reference Location component, a Class component and a Method component and said third agent may be adapted to select said items from said Import, Constant Pool, Reference Location, Class and Method components.
  • Advantageously, the package may comprise both its own Class component and its own Method component. The second agent may be adapted to:
    • process data belonging to said items and coming from the Import component to check consistency of the package with the updated operating system, and in case of successful consistency checking using said items to:
    • resolve each external reference of the Class component of the package, and
    • resolve each external reference of the Method component of the package.
  • Advantageously, the third agent may be adapted to permanently store said items in the secure element in a format different from that of the CAP file.
    • (Brief description of the drawings)
  • Other characteristics and advantages of the present invention will emerge more clearly from a reading of the following description of a number of preferred embodiments of the invention with reference to the corresponding accompanying drawings in which:
    • Figure 1 shows an exemplary flow diagram of package managing in a secure element according to the invention, and
    • Figure 2 shows a diagram of a secure element according to an example of the invention.
    (Detailed description of the preferred embodiments)
  • The invention may apply to any types of secure element intended to embed packages and an operating system which may be upgraded when deployed on the field. Such secure elements may be coupled to a host machine like a smartphone, a smart watch, a vehicle, a meter, a slot machine, a TV or a computer.
  • In the present description, a package is a container as defined by object-oriented programming languages. In particular, the invention applies to packages as defined in JavaTm and JavaCardTm languages.
  • Figure 1 shows an example of a flow diagram for managing a package when the operating system of a secure element is upgraded according to the invention.
  • A secure element 20 is supposed to have been issued with an original operating system 30. For example, this original operating system 30 may comprise an object-oriented virtual machine and high level Application programming Interfaces (APIs). For instance, the virtual machine (VM) may be compliant with JavaCardTm specifications version 2.2 or upper.
  • At step S1, a CAP file 40 containing components allowing to create a package 10 is downloaded in the secure element 10. The package 10 may be required to install an application into the secure element 10 for instance.
  • At step S2, the package 10 is installed in the secure element. In other words, the package 10 is created from the components of the CAP file 40 then the package 10 is linked to the initial operating system 30. In one embodiment, the CAP file may be processed on-the-fly when loaded in the secure element. Components of the CAP file may be temporary stored so that the CAP file (as such) is no more existing on the secure element once the package is fully created.
  • The package installation operation triggers the step S3 where the secure element 10 selects items 60 from several components of the CAP files 40 (before possible CAP file erasing). Preferably, these items 60 are extracted from the following component list: Import 51, Constant Pool 52, Reference Location 53, Class 54 and Method 55.
  • These items 60 are required to retrieve all references of the Class component and the Method component that need to be updated during a further linking (i.e. re-linking) operation.
  • These items 60 are permanently stored in the secure element 20. For instance, items 60 are stored in a nonvolatile memory of the secure element 20. In the present description, "permanently stored" means that the items are kept in the secure element 20 for a long time. For example, these items are kept until the package 10 is removed from the secure element 20.
  • Preferably, these items are stored in a customized format which is different from the format of the CAP file so as to minimize their footprint or to ease their parsing.
  • In one embodiment, the items 60 are selected so that they refer to references external to the package 10 only. In other word, the selected items 60 are not intended to be used for solving the references which are internal to the package 10. Alternatively, items 60 may be selected so that they refer to both references external to the package and references internal to the package.
  • Although steps S2 and S3 have been described as two distinct steps they may be considered as a single step. For example, the following new structure may be used to store information which allows to establish a link between the Method component and a Constant Pool component customized for storage of a subset of items 60. This storage format allows to resolve references of the Method component: 
 relink_component {
    u16 ref_count;
    ref_info ref_infos[ref_count];
       }
       ref_info {
    u16 offset_in_method_component;
    u16 index_in_constant_pool;
             }
  • In order to illustrate the items which are extracted from the original components (of the CAP file), the Import component which is originally structured as follows: 
    • import_component {
     u1 tag
     u2 size
     u1 count
     package_info packages[count]
            }
     may be kept in the following format:
     import_component_Kept {
     u1 count
     package_info packages[count]
            }
  • When loading a CAP file, Class component is usually fully kept. However several data of the Class component are linked to the Operating System and then their original values are no more retained. According to an example of the invention, the new process extracts the data (with their original value) that will have to be re-linked later.
  • For example, the Class component may be originally structured as follows: 
    •  class_component {
     u1 tag
     u2 size
     u2 signature_pool_length
     type_descriptor signature_pool[]
     interface_info interfaces[]
     class_info classes[]
          }
    wherein the "interface info" and the "class info" are initially structured as follows: 
     interface_info {
     u1 bitfield {
          bit[4] flags
          bit[4] interface_count
     }
     class_ref superinterfaces[interface_count]
     interface_name_info interface_name
 }
    and 
     class_info {
     u1 bitfield {
          bit[4] flags
          bit[4] interface_count
     }
     class_ref super_class_ref
     u1 declared _instance_size
     u1 first_reference_token
     u1 reference_count
     u1 public_method_table_base
     u1 public_method_table_count
     u1 package_method_table_base
     u1 package_method_table_count
     u2
     public_virtual_method_table[public_method_table_count]
     u2
     package_virtual_method_table[package_method_table_count
 ]
     implemented_interface_info
     interfaces[interface_count]
     remote_interface_info remote_interfaces
 }
    and are kept on the following structures so that external references are extracted and stored for a further relink: 
     interface_info_kept {
     class_ref superinterfaces[interface_count]
 }
     and
     class_info_kept {
     class_ref super_class_ref
     u1 declared_instance_size
     u1 first_reference_token
     u2
     public_virtual_method_table[public_method_table_count]
     implemented_interface_info
     interfaces[interface_count]
 }
  • At step S4, the secure element 20 deletes part 50 of the CAP file components while keeping the selected items 60 in the secure element 20. For example, the following components are removed from the secure element 20: Header and Directory. In other words, the secure element 20 does not keep any information coming from these deleted components.
  • A CAP file may contain custom components which are usually kept, they can be also updated. Since these custom components are OS issuer dependent, there is no general rules to manage them. The optional Descriptor component is intended to be used if the on-board byte code verification is active. Consequently, the Descriptor component may be kept for the bytecode checking during runtime.
  • At step S5, an upgrade is applied to the original operating system 30 to generate a new (updated) operating system 31.
  • In a first example, the step S5 is carried out via a bootloader agent which is designed to administrate the operating system of the secure element 20. In this case, the updated Operating system 31 is fully sent to the secure element 20.
  • In this case, the bootloader is activated so that the behavior of the secure element 20 does not rely on the original operating system 30. Then the new operating system 31 is downloaded and in the secure element 20 via the bootloader. Then an activation command is sent to the secure element to switch from bootloader mode to the new operating system 31 mode and a further reset (i.e. hardware reboot) is applied to the secure element so that the secure element takes the new operating system 31 into account by starting the new operating system 31. In this example, the step S5 of updating the initial operating system 30 consists of the combination of execution of both the activation command and the reset.
  • In a second example, the step S5, may be carried out by downloading a bulk of data aiming at slightly modify the initial operating system (like a corrective patch or a new feature). In this case, the new/updated feature is active as soon as installed in the secure element (e.g. without requiring a reset). In this example, the step S5 of updating the initial operating system 30 consists of the installation of the new/updated feature.
  • It is to be noted that in all cases, the re-linking operation is performed when the updated operating system 31 is active on the secure element 20.
  • The end of the step S5 triggers the step S6 where a new linking (also named re-linking) operation of the package 10 to the updated operating system 31 is started. This re-linking operation is carried out using the stored items 60.
  • In other words, the re-linking step is automatically triggers by the end of the step S5 and is carried out using data permanently stored in the secure element. Preferably, the re-linking step is executed as soon as the step S5 is finished (i.e. directly executed). Alternatively, intermediate operations may occur between the end of the step S5 and the re-linking step.
  • Preferably, the items 60 which are permanently stored according to the invention, remain unchanged after the re-linking step so that a further re-linking step can be performed again after another operating system update.
  • Preferably, the re-linking operation of step S6 is carried out as follows.
  • First, the secure element 20 checks consistency (i.e. compatibility) of the package 10 with the updated operating system 31 thanks to items coming from the Import 51 component. This checking aims at controlling that the package is still compliant with the features of the updated operating system 31. In case of error, the re-linking operation aborts. In case of successful consistency checking, the secure element 20 resolves each external reference of the Class component of the package 10 using the stored items 60 and resolves each external reference of the Method component of the package 10 using the stored items 60.
  • Additionally, the secure element 20 may also resolve internal references of the Class component of the package 10 and the Method component of the package 10 using the stored items 60.
  • It is to be noted that the package re-linking process is applied to all packages previously installed in the secure element provided that these packages are compatible with the updated operating system.
  • Figure 2 shows an example a CAP file and a diagram of a secure element according to an example of the invention.
  • A package 10 is then created in the secure element 20 from the CAP file 40. The secure element 20 includes an original operating system 30 and is intended to comprise an updated operating system 31 (shown in dashed line). The updated operating system 31 is assumed to be an upgraded version of the original operating system 30.
  • In this example, the secure element 20 is a smart card comprising a communication interface (not shown) configured to exchange data with the outside according to ISO-7816 standards.
  • Both the original operating system 30 and the updated operating system 31 comprise a JavaCardTm virtual machine VM.
  • The secure element contains first software agent 70 which is configured to update the original operating system 30 to generate the updated operating system 31. The first software agent 70 is able to get a bulk of data coming from a distant machine and to update the original operating system 30 using the received data.
  • The secure element 20 comprises a second software agent 80 which is configured to link the package 10 to the updated operating system 31. The first agent 70 is configured to automatically trigger the second agent 80 for starting a (re-)linking of the package 10 at the end of the generation of the updated operating system 31.
  • The secure element 20 comprises a third software agent 90 which is configured to select, from the plurality of components of the CAP file 40, items 60 that are required to retrieve references to be updated during the (re-)linking step. The third software agent 90 is also configured to permanently store these items 60 in the secure element 20 and to remove at least one component 50 of the CAP file 40 from the secure element 20. Preferably, the third software agent 90 which is configured to extract these items 60 from the following components of the CAP file 40: the Import component 51, the Constant Pool component 52, the Reference Location component 53, the Class component 54 and the Method component 55.
  • Preferably, the third software agent 90 is adapted to remove the Header and Directory components (of the CAP file 40) from the secure element 20. The third software agent 90 may be configured to remove all the components of the CAP file 40, assuming that the selected items 60 are kept in the secure element 20 in another storage format.
  • The package 10 is assumed to comprise both its own Class component and its own Method component which may be stored in the secure element 20 according to any storage mechanism.
  • In the example of Figure 2, the second agent 80 is designed to process items coming from the Import component 51 to check if the package 10 is compatible with the updated operating system 31. In case of successful consistency (compatibility) checking, the second agent 80 is designed to resolve all external references of the Class component of the package 10 using the items 60 and to resolve all external references of the Method component of the package 10 using the items 60.
  • Thanks to the invention it is possible to easily and smoothly manage the migration of existing packages when the operating system is updated, by automatically maintaining alive the packages already installed in the 20. Thus the updating operation of the operating system can be performed in a transparent way for the user who keep a full continuity of service since the packages (and their related applications) remain functional.
  • The invention is not limited to the described embodiments or examples. In particular, the secure element may comprise several packages which are automatically re-linked as soon as the operating system is updated.
  • It is to be noted that the invention applies to package even if no application is instantiated from the package. The invention applies API (Application Programming Interface) package.

    • Claims (9)

    1. A method for managing a package (10) in a secure element (20) comprising an initial operating system (30), the method comprising a step of updating the initial operating system (30) to generate an updated operating system (31), the method comprising the step of linking the package (10) to the updated operating system (31), said linking step being triggered by the step of updating the initial operating system (30),
      characterized in that the package (10) is created from a CAP file (40) previously downloaded in the secure element (20), said CAP file (40) comprising a plurality of components, in that the method comprises the step of selecting, from said plurality of components, items (60) that are required to retrieve references to be updated during the linking step and permanently storing said items (60) in the secure element (20) and in that the method comprises the step of removing at least one component (50) of the CAP file (40) from the secure element (20).
    2. A method according to claim 1, wherein said items (60) are related to targets external to the package (10).
    3. A method according to claim 1, wherein the CAP file (40) comprises an Import component (51), a Constant Pool component (52), a Reference Location component (53), a Class component (54) and a Method component (55), and wherein said items (60) are selected from said Import, Constant Pool, Reference Location, Class and Method components (51, 52, 53, 54, 55).
    4. A method according to claim 3, wherein the package (10) comprises both its own Class component and its own Method component and wherein said linking step comprises the following sub-steps:
      - processing the Import (51) component to check consistency of the package (10) with the updated operating system (31), and in case of successful consistency checking, using said items (60) to:
      - resolve each external reference of the Class component of the package (10), and
      - resolve each external reference of the Method component of the package (10).
    5. A method according to claim 1, wherein said items (60) are permanently stored in the secure element (20) in a format different from that of the CAP file (40).
    6. A secure element (20) comprising a package (10) and an initial operating system (30), said secure element (SE) comprising a first agent (70) adapted to generate an updated operating system (31) by updating the initial operating system (30), said secure element (20) comprising a second agent (80) adapted to link the package (10) to the updated operating system (31), said first agent (70) being adapted to trigger the linking of the package (10) at the end of the updating of the initial operating system (30),
      characterized in that the package (10) is created from a CAP file (40) previously downloaded in the secure element (20), said CAP file (40) comprising a plurality of components and in that said secure element (SE) comprises a third agent (90) adapted to select, from said plurality of components, items (60) that are required to retrieve references to be updated during the linking step, to permanently store said items (60) in the secure element (20) and to remove at least one component (50) of the CAP file (40) from the secure element (20).
    7. A secure element (20) according to claim 6 wherein the CAP file (40) comprises an Import component (51), a Constant Pool component (52), a Reference Location component (53), a Class component (54) and a Method component (55) and wherein said third agent (90) is adapted to select said items (60) from said Import, Constant Pool, Reference Location, Class and Method components (51, 52, 53, 54, 55).
    8. A secure element (20) according to claim 7 wherein the package (10) comprises both its own Class component and its own Method component and wherein said second agent (80) is adapted to:
      - process data belonging to said items (60) and coming from the Import (51) component to check consistency of the package (10) with the updated operating system (31), and in case of successful consistency checking using said items (60) to:
      - resolve each external reference of the Class component of the package (10), and
      - resolve each external reference of the Method component of the package (10).
    9. A secure element (20) according to claim 6 wherein said third agent (90) is adapted to permanently store said items (60) in the secure element (20) in a format different from that of the CAP file (40).
    EP16802064.2A 2015-12-04 2016-11-29 Method for managing a package in a secure element Active EP3384383B1 (en)

    Applications Claiming Priority (2)

    Application Number Priority Date Filing Date Title
    EP15306927.3A EP3176695A1 (en) 2015-12-04 2015-12-04 Method for managing a package in a secure element
    PCT/EP2016/079062 WO2017093207A1 (en) 2015-12-04 2016-11-29 Method for managing a package in a secure element

    Publications (2)

    Publication Number Publication Date
    EP3384383A1 EP3384383A1 (en) 2018-10-10
    EP3384383B1 true EP3384383B1 (en) 2019-09-18

    Family

    ID=55079982

    Family Applications (2)

    Application Number Title Priority Date Filing Date
    EP15306927.3A Withdrawn EP3176695A1 (en) 2015-12-04 2015-12-04 Method for managing a package in a secure element
    EP16802064.2A Active EP3384383B1 (en) 2015-12-04 2016-11-29 Method for managing a package in a secure element

    Family Applications Before (1)

    Application Number Title Priority Date Filing Date
    EP15306927.3A Withdrawn EP3176695A1 (en) 2015-12-04 2015-12-04 Method for managing a package in a secure element

    Country Status (5)

    Country Link
    US (1) US10474447B2 (en)
    EP (2) EP3176695A1 (en)
    JP (1) JP6560824B2 (en)
    KR (1) KR102097644B1 (en)
    WO (1) WO2017093207A1 (en)

    Families Citing this family (3)

    * Cited by examiner, † Cited by third party
    Publication number Priority date Publication date Assignee Title
    US10936719B2 (en) * 2016-09-23 2021-03-02 Apple Inc. Preserving trust data during operating system updates of a secure element of an electronic device
    US10911939B2 (en) * 2017-06-14 2021-02-02 Huawei Technologies Co., Ltd. Embedded universal integrated circuit card profile management method and apparatus
    DE102017006950A1 (en) * 2017-07-21 2019-01-24 Giesecke+Devrient Mobile Security Gmbh Maintaining a network connection

    Family Cites Families (22)

    * Cited by examiner, † Cited by third party
    Publication number Priority date Publication date Assignee Title
    US6880155B2 (en) * 1999-02-02 2005-04-12 Sun Microsystems, Inc. Token-based linking
    US7506175B2 (en) * 2000-11-06 2009-03-17 International Business Machines Corporation File language verification
    US6779732B2 (en) * 2001-08-31 2004-08-24 Schulumberger Malco, Inc. Method and apparatus for linking converted applet files
    JP2003216431A (en) * 2002-01-18 2003-07-31 Cec:Kk Ic card operating system updating system and ic card used therein
    US8032872B2 (en) * 2006-01-09 2011-10-04 Oracle America, Inc. Supporting applets on a high end platform
    ITMI20080536A1 (en) * 2008-03-28 2009-09-29 Incard Sa METHOD TO PROTECT A CAP FILE FOR AN INTEGRATED CIRCUIT CARD.
    DE102008033976A1 (en) * 2008-07-21 2010-01-28 Giesecke & Devrient Gmbh Loading and updating a personalization application
    US8555067B2 (en) * 2010-10-28 2013-10-08 Apple Inc. Methods and apparatus for delivering electronic identification components over a wireless network
    EP2461613A1 (en) * 2010-12-06 2012-06-06 Gemalto SA Methods and system for handling UICC data
    US20140019760A1 (en) * 2010-12-06 2014-01-16 Gemalto Sa Method for personalizing a secure element comprised in a terminal
    KR101716743B1 (en) * 2012-02-14 2017-03-15 애플 인크. Mobile apparatus supporting a plurality of access control clients, and corresponding methods
    FR2993682B1 (en) * 2012-07-20 2014-08-22 Oberthur Technologies UPDATE OF AN OPERATING SYSTEM FOR SECURE ELEMENT
    DE102012015573A1 (en) * 2012-08-07 2014-02-13 Giesecke & Devrient Gmbh Method for activating an operating system in a security module
    CN104412285A (en) * 2012-08-24 2015-03-11 Jvl风险投资有限责任公司 Systems, methods, and computer program products for securing and managing applications on secure elements
    US9633098B2 (en) * 2012-09-25 2017-04-25 Visa International Service Association System and method for maintaining device state coherency
    US9910659B2 (en) * 2012-11-07 2018-03-06 Qualcomm Incorporated Methods for providing anti-rollback protection of a firmware version in a device which has no internal non-volatile memory
    EP2884692B1 (en) * 2013-12-13 2020-05-20 Nxp B.V. Updating software on a secure element
    US9436455B2 (en) * 2014-01-06 2016-09-06 Apple Inc. Logging operating system updates of a secure element of an electronic device
    US9483249B2 (en) * 2014-01-06 2016-11-01 Apple Inc. On-board applet migration
    US9934014B2 (en) * 2014-08-22 2018-04-03 Apple Inc. Automatic purposed-application creation
    US10664257B2 (en) * 2015-05-06 2020-05-26 Apple Inc. Secure element activities
    US11050726B2 (en) * 2016-04-04 2021-06-29 Nxp B.V. Update-driven migration of data

    Non-Patent Citations (1)

    * Cited by examiner, † Cited by third party
    Title
    None *

    Also Published As

    Publication number Publication date
    WO2017093207A1 (en) 2017-06-08
    JP2018533796A (en) 2018-11-15
    JP6560824B2 (en) 2019-08-14
    KR20180077249A (en) 2018-07-06
    US10474447B2 (en) 2019-11-12
    EP3384383A1 (en) 2018-10-10
    US20180357059A1 (en) 2018-12-13
    EP3176695A1 (en) 2017-06-07
    KR102097644B1 (en) 2020-05-26

    Similar Documents

    Publication Publication Date Title
    US10409588B2 (en) Method for managing objects in a secure element
    US9820139B1 (en) Method for performing a remote management of a multi-subscription SIM module
    US10430177B2 (en) Method for updating a package
    EP3384383B1 (en) Method for managing a package in a secure element
    US10248795B2 (en) Implementing method for JavaCard application function expansion
    CN109195157B (en) Application management method and device and terminal
    KR101502977B1 (en) A personal token having enhanced abilities for delivering HTML data
    CN110362350B (en) Managing multiple operating systems in an integrated circuit card
    CN116244764A (en) Method and system for generating device unique ID of Android device
    US20190147193A1 (en) Method for a first start-up operation of a secure element which is not fully customized
    EP3324655A1 (en) Method for managing a patch of a sofware component in a euicc
    CN107851044B (en) Integrated circuit card adapted to transfer first data from a first application for use by a second application
    US20230084048A1 (en) Methods and terminal for updating converted applet file, and Java Card device
    CN109547999B (en) Method for managing integrated circuit card, corresponding card and device
    EP3683708A1 (en) Method for managing a package of an application
    WO2024012717A1 (en) Update agent for multiple operating systems in a secure element
    CN115208945A (en) Android system upgrading method and related equipment thereof

    Legal Events

    Date Code Title Description
    STAA Information on the status of an ep patent application or granted ep patent

    Free format text: STATUS: UNKNOWN

    STAA Information on the status of an ep patent application or granted ep patent

    Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

    PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

    Free format text: ORIGINAL CODE: 0009012

    STAA Information on the status of an ep patent application or granted ep patent

    Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

    17P Request for examination filed

    Effective date: 20180704

    AK Designated contracting states

    Kind code of ref document: A1

    Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

    AX Request for extension of the european patent

    Extension state: BA ME

    REG Reference to a national code

    Ref country code: DE

    Ref legal event code: R079

    Ref document number: 602016020992

    Country of ref document: DE

    Free format text: PREVIOUS MAIN CLASS: G06F0009445000

    Ipc: G06F0008650000

    DAV Request for validation of the european patent (deleted)
    DAX Request for extension of the european patent (deleted)
    GRAP Despatch of communication of intention to grant a patent

    Free format text: ORIGINAL CODE: EPIDOSNIGR1

    STAA Information on the status of an ep patent application or granted ep patent

    Free format text: STATUS: GRANT OF PATENT IS INTENDED

    RIC1 Information provided on ipc code assigned before grant

    Ipc: G06F 16/23 20190101ALI20190308BHEP

    Ipc: G06F 8/65 20180101AFI20190308BHEP

    INTG Intention to grant announced

    Effective date: 20190401

    RIN1 Information on inventor provided before grant (corrected)

    Inventor name: FRANCHI, CHRISTOPHE

    Inventor name: VERGNES, FABRICE

    Inventor name: MARSEILLE, FRANCOIS-XAVIER

    GRAS Grant fee paid

    Free format text: ORIGINAL CODE: EPIDOSNIGR3

    GRAA (expected) grant

    Free format text: ORIGINAL CODE: 0009210

    STAA Information on the status of an ep patent application or granted ep patent

    Free format text: STATUS: THE PATENT HAS BEEN GRANTED

    RAP1 Party data changed (applicant data changed or rights of an application transferred)

    Owner name: THALES DIS FRANCE SA

    AK Designated contracting states

    Kind code of ref document: B1

    Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

    REG Reference to a national code

    Ref country code: GB

    Ref legal event code: FG4D

    REG Reference to a national code

    Ref country code: CH

    Ref legal event code: EP

    REG Reference to a national code

    Ref country code: DE

    Ref legal event code: R096

    Ref document number: 602016020992

    Country of ref document: DE

    REG Reference to a national code

    Ref country code: AT

    Ref legal event code: REF

    Ref document number: 1182116

    Country of ref document: AT

    Kind code of ref document: T

    Effective date: 20191015

    REG Reference to a national code

    Ref country code: IE

    Ref legal event code: FG4D

    REG Reference to a national code

    Ref country code: NL

    Ref legal event code: MP

    Effective date: 20190918

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: SE

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: BG

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20191218

    Ref country code: LT

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: HR

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: FI

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: NO

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20191218

    REG Reference to a national code

    Ref country code: LT

    Ref legal event code: MG4D

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: LV

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: AL

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: RS

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: GR

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20191219

    REG Reference to a national code

    Ref country code: AT

    Ref legal event code: MK05

    Ref document number: 1182116

    Country of ref document: AT

    Kind code of ref document: T

    Effective date: 20190918

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: ES

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: AT

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: NL

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: RO

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: IT

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: EE

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: PL

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: PT

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20200120

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: SM

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: IS

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20200224

    Ref country code: CZ

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: SK

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    REG Reference to a national code

    Ref country code: DE

    Ref legal event code: R097

    Ref document number: 602016020992

    Country of ref document: DE

    REG Reference to a national code

    Ref country code: CH

    Ref legal event code: PL

    PLBE No opposition filed within time limit

    Free format text: ORIGINAL CODE: 0009261

    STAA Information on the status of an ep patent application or granted ep patent

    Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

    PG2D Information on lapse in contracting state deleted

    Ref country code: IS

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: LI

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20191130

    Ref country code: CH

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20191130

    Ref country code: MC

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: DK

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    Ref country code: LU

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20191129

    Ref country code: IS

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20200119

    REG Reference to a national code

    Ref country code: BE

    Ref legal event code: MM

    Effective date: 20191130

    26N No opposition filed

    Effective date: 20200619

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: SI

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: IE

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20191129

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: BE

    Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

    Effective date: 20191130

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: CY

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: HU

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

    Effective date: 20161129

    Ref country code: MT

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: TR

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

    Ref country code: MK

    Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

    Effective date: 20190918

    P01 Opt-out of the competence of the unified patent court (upc) registered

    Effective date: 20230426

    PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

    Ref country code: GB

    Payment date: 20231019

    Year of fee payment: 8

    PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

    Ref country code: FR

    Payment date: 20231019

    Year of fee payment: 8

    Ref country code: DE

    Payment date: 20231019

    Year of fee payment: 8